Game theoretic models for detecting network intrusions OPLab 1
Agenda Abstract Introduction Problem Statement Scenario 1 : single intruder with multiple packets Scenario 2 : cooperative intruders Numerical results Conclusion 2
Game theoretic models for detecting network intrusions Author: Hadi Otrok *, Mona Mehrandish, Chadi Assi, Mourad Debbabi, Prabir Bhattacharya Computer Security Laboratory, Concordia Institute for Information Systems Engineering, Concordia University, Montreal Source: Computer Communications 31 (2008) Year of publication:
Agenda Abstract Introduction Problem Statement Scenario 1 : single intruder with multiple packets Scenario 2 : cooperative intruders Numerical results Conclusion 4
Abstract Use game theory to solve the problem of detecting intrusions in wired infrastructure networks. Develop a packet sampling strategy to reduce the success chances of an intruder with sampling budget. Two scenarios: Single intruder with multiple packets Cooperative intruders If packets are independently analyzed then the intrusion will not be detected. 5
Abstract(Cont.) Non-cooperative game theory is used, where the two players are: the smart intruder or the cooperative intruders (depends on the scenario) the Intrusion Detection System (IDS) The intruder(s) will know their attack strategy and the IDS to have an optimal sampling strategy in order to detect the malicious packets. 6
Agenda Abstract Introduction Problem Statement Scenario 1 : single intruder with multiple packets Scenario 2 : cooperative intruders Numerical results Conclusion 7
Introduction Wired infrastructure-based networks are designed to be secure networks : by using firewalls and encryption techniques Still suffer from types of intrusions : denial of service attack attempts to penetrate the network. Intrusion Detection System (IDS) as a second line of defense. IDS detects an unusual activity : by monitoring and analyzing the network traffic 8
Introduction(Cont.) Analyzing the traffic is achieved by : considering the whole traffic sampling a portion of the traffic Analyzing the whole traffic costs too much. Sampling costs less but has lower detection rate. Finding a strategy enhancing the probability of detection using sampling is considered challenging. Harder problem considering intruder(s) sending an intrusion through multiple fragments. If IDS analyzes these fragments independently, it will not be able to detect the intrusion. 9
Introduction(Cont.) Scenario 1 : a smart intruder able to divide the intrusion over different fragments the intruder is able to select the routing paths to inject the fragments IDS objective is to sample according to the sampling budget looking for the fragments at least m out of n. Scenario 2 : a group of cooperative intruders sending a series of fragments from different sources using different routes. IDS divides the sampling budget over the intruders This work develops a network packet sampling policy by finding the value of the game using a min–max strategy. 10
Introduction(Cont.) Game theory has been applied to many disciplines : including economics, political science, and computer science. Game theory usually considers a multiplayer decision problem where multiple players with different objectives can compete and interact with each other. Game theory classifies games into two categorizes: non-cooperative and cooperative. Non-cooperative games are games with two or more players that are competing with each other. Cooperative games are games with multi-players cooperating with each other in order to achieve the greatest possible total benefits. 11
Agenda Abstract Introduction Problem Statement Scenario 1 : single intruder with multiple packets Scenario 2 : cooperative intruders Numerical results Conclusion 12
Problem Statement 13
Problem Statement(Cont.) 14
Problem Statement(Cont.) In the first scenario, we assume that the game is played on an infrastructure-based network between two players: the IDS and the intruder. The objective of the intruder is to inject n a-fragments from some attacking node a ∈ N with the intention of attacking a target node t ∈ N. In order to detect the intrusion, the IDS is allowed to sample packets in the network. It is assumed that sampling takes place on the links in the network. 15
Problem Statement(Cont.) In the second scenario, assuming the set of cooperative intruders as one player, we model the game as a zero-sum game with complete information about the: IDS and intruders. The objective of each intruder x ∈ Ω is to send an a-fragment to the target node t. To detect the intrusion, the IDS samples packets traffic on each link in the network. 16
Problem Statement(Cont.) The IDS has a sampling budget of packets/second. The budget can be distributed arbitrarily over the links in the network, and can be viewed as the maximum rate the IDS can process in real-time. If a link, with traffic flowing on it, is sampled at rate, the probability of sampling a malicious fragment on this link is given by Sampling constraint : Assume that all the players have complete information about the topology of the network and all the link flows in the network. 17
Problem Statement(Cont.) 18
Agenda Abstract Introduction Problem Statement Scenario 1 : single intruder with multiple packets Scenario 2 : cooperative intruders Numerical results Conclusion 19
Scenario 1 Having the intruder and IDS each chosen their strategies(their probability distributions), the probability of sampling an a-fragment traversing from node a to node t is the sum of probability of taking each path times the probability of sampling the a-fragment on that particular path over all possible routes from a to t. 20
Scenario 1(Cont.) The probability of detecting an intrusion that requires exactly m a-fragments is, The IDS will detect the intrusion if at least m a-fragments are sampled, 21
Scenario 1(Cont.) The IDS will choose a strategy that maximizes the detection probability: 22
Scenario 1(Cont.) On the other hand, the objective of the intruder is to choose a distribution q and number of fragments n that minimize this maximum value. In other words, the objective is: Similarly, the objective of the IDS becomes: 23
Scenario 1(Cont.) This is a classical two person zero-sum game. There exists an optimal solution to the intrusion detection game where the following noted min–max result holds, 24
Scenario 1(Cont.) Due to the mathematical complexity on solving the game in Eq. (7), the paper solve the game for the case an intrusion detection requires only m a-fragments out of n. By recalling Eq. (2), the game is reduced to the following: 25
Scenario 1(Cont.) Considering the intruder problem the game is reduced to the following: For a fixed q, it is sufficient to solve the following: For a fixed n to maximize the expression above we have to maximize m and α. 26
Scenario 1(Cont.) 27
Scenario 1(Cont.) The second derivative at critical value m=n α where the simplified form is given as follows: From this we can conclude that Γ has a maximum at m=n α. Therefore, the work to be done is to maximize α. 28
Scenario 1(Cont.) 29
Scenario 1(Cont.) This objective function is non-linear which makes the problem intractable. Given the assumption of sampling is bounded with a budget that restricts the sampling efforts, the work allocates sampling efforts on the links that belongs to the set. Since sampling will be done for at most one link in path P, we can rewrite Eq. (16) as: 30
Scenario 1(Cont.) 31
Scenario 1(Cont.) Associating a dual variable λ, we obtain the following dual optimization problem with the corresponding constraints: 32
Scenario 1(Cont.) 33
Scenario 1(Cont.) 34
Scenario 1(Cont.) 35
Scenario 1(Cont.) 36
Scenario 1(Cont.) In Fig. 2, the numbers next to the links are the flows on the links. Suppose that there is a sampling budget Bs of 12 units for the IDS. Additionally, we assume the intruder’s fragmentation is equal to 3 where a=A and t=I are the intruder and victim respectively. The minimum cut (and hence the maximum flow) has a value of 29 units. 37
Scenario 1(Cont.) The intruder launches the attack over 3 fragments where each fragment is forwarded according to the following strategy: Transmit the malicious fragment along the path A–C–E–I with probability 11/29. Transmit the malicious fragment along the path A–B–G–H–I with probability 8/29. Transmit the malicious fragment along the path A–B–D–F–I with probability 7/29. Transmit the malicious fragment along the path A–B–D–G–H–I with probability 2/29. Transmit the malicious fragment along the path A–B–D–E–F–I with probability 1/29. 38
Scenario 1(Cont.) 39
Agenda Abstract Introduction Problem Statement Scenario 1 : single intruder with multiple packets Scenario 2 : cooperative intruders Numerical results Conclusion 40
Scenario 2 In scenario 2, the work extends the previous game to the case where multiple intruders will cooperate with each other to attack the same target. The intrusion is fragmented to n fragments. The objective of each intruder x ∈ Ω is to send a fragment of the intrusion to the target node t where | Ω | is the number of intruders. 41
Scenario 2(Cont.) The intruders and IDS should choose their strategies(probability distributions). The objective of each intruder is to inject a fragment of the intrusion by selecting the path that can reduce the IDS probability of detection. For any node x ∈ Ω, the probability of detecting a fragment of the intrusion traversing from node x to node t is : 42
Scenario 2(Cont.) Define the function Φ to be the mean value of detecting the intrusion through sampling: 43
Scenario 2(Cont.) On the other hand, the cooperative intruders aim at minimizing Eq. (22), which will be done by assigning probabilities for all possible routes to the target node: 44
Scenario 2(Cont.) 45
Scenario 2(Cont.) Solving the min–max problem formulated, first we consider the intruders’ problem: Therefore, the problem simplifies to: 46
Scenario 2(Cont.) 47
Scenario 2(Cont.) 48
Scenario 2(Cont.) Using the same approach, the game reduces to the following: 49
Scenario 2(Cont.) 50
Scenario 2(Cont.) 51
Scenario 2(Cont.) 52
Scenario 2(Cont.) 53
Scenario 2(Cont.) The IDS will sample the links as follows: 54
Agenda Abstract Introduction Problem Statement Scenario 1 : single intruder with multiple packets Scenario 2 : cooperative intruders Numerical results Conclusion 55
Numerical results This section evaluates the reliability of the game model on improving the probability of detection compared to two different approaches: Random Uniform Random is a model where sampling is done on random links. Uniform model is achieved through dividing the sampling effort equally over the links. All the models must satisfy the sampling budget constraint. The work is done by using C++ as the programming language and Fig. 3 as the network graph. 56
Numerical results(Cont.) 57
Numerical results(Cont.) First, consider the scenario where a single intruder transmits the a-fragments to a target node in order to launch the attack. An intrusion detection is fulfilled if half of the a-fragments are detected. Moreover, assume that A is the attacker and I is the target. Fig. 4 shows the detection probability as a function of the budget, where the budget varies from 1 to 150 (packets/second). 58
Numerical results(Cont.) 59
Numerical results(Cont.) The maximum flow between A and I is 99. As the budget reaches the maximum flow, the probability of detection becomes close to 1. This is because sampling effort are not randomly or uniformly on all the edges but on the minimum cut edges, where every packet transmitted from the attacker to the target has to traverse at least one of the links in the minimum cut set. From the min-cut theorem, we know that the summation of flows in the minimum cut is equal to the maximum flow. If the sampling budget is equal to or greater than the maximum flow between the attacker and target, we can sample with a rate equal to the actual flow on each link in the minimum cut. Thus, any packet either normal or malicious would be sampled ensuring that the intrusion is being detected. 60
Numerical results(Cont.) Fig. 5 illustrates the results of another scenario, where an intruder A transmits different number of a-fragments to a target node I having a constant sampling budget equal to 60. The attacker transmits the a-fragments through different paths. Note that there are 12 paths from A to I that could be selected randomly by the intruder. Here, the detection probability is demonstrated as a function of the number of a-fragments. 61
Numerical results(Cont.) 62
Numerical results(Cont.) The detection probability for odd number of a-fragments is less than the even ones. It is due to the fact that the IDS needs at least half of the a-fragments which is one more for the case of odd numbers. In case of larger networks, this difference between odd and even number of packets would be neglected. Using the same terminology as in the previous scenario, this theoretic framework presents better results than the other two models. 63
Numerical results(Cont.) Finally, the multi-intruder scenario, where n cooperating intruders distribute the attack over n a-fragments. The attack is successful if half of these a-fragments reach the target node without being detected. Sampling budget is set to
Numerical results(Cont.) 65
Numerical results(Cont.) The detection probability decreases as the number of intruders increases, because the IDS has to divide the budget. When the number of intruders is less than 60% of the total number of nodes in the network, focusing the sampling budget on the union of the minimum cuts for each intruder and the target node, helps in increasing the detection probability. 66
Numerical results(Cont.) As the number of intruders increases, more and more links are added to the union of critical edges. Thus, the set of the links becomes comparable to the total number of links. In this case, the sampling budget is divided by the number of attackers, and the sampling rate would be multiplied by this small sampling budget. Thus, the sampling probability decreases. 67
Numerical results(Cont.) For random and uniform strategy, the budget is independent of the number of attackers. They continue to sample almost with the same rate for any number of attackers. This shows why the uniform and random methods provide better results over the game one in the case where intruders presence exceed 50%. 68
Agenda Abstract Introduction Problem Statement Scenario 1 : single intruder with multiple packets Scenario 2 : cooperative intruders Numerical results Conclusion 69
Conclusion The work considered the problem of intrusion detection in a network by means of packet sampling. Given a total sampling budget, they developed a network packet sampling strategy to effectively reduce the success chances of an intruder. They considered two different scenarios where the adversary(s) has(have) considerable information about the network and can select paths to minimize chances of detection. 70
Conclusion(Cont.) In the case of a single intruder, they formulated the intrusion detection problem as a zero-sum two-player game with complete information about the players. They solved the game considering the case where the intrusion detection requires m out of n fragments. 71
Conclusion(Cont.) They also considered the problem of multiple cooperating intruders where the attackers can select paths independently in order to reduce the chances of detection. They formulated the intrusion detection problem as a zero-sum non-cooperative game with complete information about the IDS and the set of attackers. Solving the game brings up strategies for both the IDS and the set of intruders. 72
Conclusion(Cont.) Finally, they evaluated their game solutions via numerical results, which show the effectiveness of their game theoretic models in detecting intrusions via sampling over random and uniform models. 73
Thank you for your listening 74